Declare that Hungary has failed to fulfil its obligations under Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data by removing the data protection supervisor from office before time.

Order Hungary to pay the costs.

Pleas in law and main arguments

Directive 95/46/EC provides that one or more public authorities of the Member States, which are to act with complete independence in exercising the functions entrusted to them, are to be responsible for monitoring the application of the national provisions transposing that Directive.

In Hungary, that authority was, until 31 December 2011, the data protection supervisor. Under the Hungarian legislation in force until 31 December 2011, the data protection supervisor was elected by the Hungarian Parliament for a period of six years. The term of office of the data protection supervisor in post on 31 December 2011 began on 29 September 2008, so that, in normal circumstances, he should have remained in post until September 2014.

With effect from 1 January 2012 the Hungarian legislation on this subject was amended. As a result of those amendments, the post of data protection supervisor was withdrawn and the data protection supervisor who had occupied the post since 29 September 2008 was removed from office. The authority responsible for supervising data protection in Hungary, within the meaning of Directive 95/46 was thereafter the newly created Nemzeti Adatvédelmi és Információszabadság Hatóság (national authority for data protection and freedom of information, 'the authority'). According to the new legislation, the head of that authority is appointed by the President of the Republic on the proposal of the Prime Minister for a term of nine years. The previous data protection supervisor was not appointed to that post.

In the opinion of the Commission, the removal from office before time of the authority responsible for supervising data protection undermines the independence required by the Directive of that authority. The Directive does not fix the duration of the term of office of that supervisory authority, so that, in principle, the Member States are free to fix it. However, the term of office has to be of reasonable duration and it is indispensable that once a Member State has fixed the duration of that term of office, that duration should be respected. Otherwise, there would be a risk that the exercise of the functions of the supervisory authority would be influenced by the risk of removal from office before time, and that risk would undermine the independence of that authority.

As regards the admissibility of the application, the Commission alleges that, given that the authority previously entrusted with the supervision of data was not reinstated before the end of the period prescribed in the reasoned opinion, the infringement had not been remedied at that time. It takes the view that it is not impossible to remedy the infringement: Hungary needs to adopt the necessary measures to reinstate the previous data protection supervisor in the post referred to in Directive 95/46 for the remainder of his term of office from 31 December 2011. The Commission would consider it an adequate remedy if the previous data protection supervisor were appointed for that period of time to the post of head of the new authority. In that regard, Hungary cannot pray in aid the independence of the current head of the new authority, because that would require it to plead its own infringement in its defence. The effects of the infringement must be remedied, not maintained.

According to the Commission, removal from office before time can only be justified by overriding and objectively verifiable reasons, but Hungary has not put forward any such reasons.

The Commission does not dispute the right of Hungary to reorganise the supervisory authority, moving, for example, from the previous model of 'data protection supervisor' to a model consistent with Hungarian law in the form of an 'authority'. However, the reform of the type of institution did not require in any way that the previous supervisory authority be removed from office. Hungary could have provided in its national legislation either that the new model should be applicable once the term of office of the data protection supervisor occupying the post had expired, or that the previous data protection supervisor should be appointed the first head of the new authority for the remainder of his term of office.

According to the Commission, if the position of the Member State regarding the change of model were to be accepted, all authorities responsible for supervising data protection in the Union would be permanently exposed to the risk of removal from office through a legislative measure cancelling the existing authority and establishing a newly created authority in its place to carry out the functions set out in Directive 95/46. It cannot be ruled out that such reforms could be used to penalise and monitor the authorities responsible for supervising data protection which earn the disapproval of the political authorities. The slightest risk of such influence is incompatible with the total independence of the supervisory authorities.

On the other hand, in the opinion of the Commission, Hungary cannot rely on vague statements by the previous data protection supervisor published in the press to presume that the latter was not prepared to fulfil the functions provided for by Article 28 of Directive 95/46, or to remove him from office before time on that basis.